Apple Lawsuit Goes After Spyware Firm NSO Group

Originally published at: Apple Lawsuit Goes After Spyware Firm NSO Group - TidBITS

Apple has sued the notorious NSO Group and will be funding two prominent research groups that specialize in discovering and describing cyber surveillance attacks. These moves appear to be the first step in a new strategy against companies that weaponize operating system flaws to profit off surveillance.

Apple says it will also notify users who it believes are being targeted by state-sponsored spyware attacks.

Read what Apple said - I don’t want my stuff hacked either - but couldn’t find what law is being broken? Or settled cases in the area to support Apple’s position.
David

Hacking is a federal offense in the US:

All 50 of the US states also have anti-hacking laws:

https://www.ncsl.org/research/telecommunications-and-information-technology/computer-hacking-and-unauthorized-access-laws.aspx

It’s a great question. We’re focusing on the impact rather than getting into the minutiae, but it’s pretty interesting. We included Apple’s broad statement, and then (as this is civil, one private party against the other, not criminal) Apple has to state the actual violations it claims harmed it in exquisite detail.

The specific claims start at page 16 in the lawsuit. They include things like:

Violation of 18 U.S.C. § 1030(a)(2), (a)(4)
they knowingly and with the intent to defraud accessed the operating system on Apple’s users’ devices without authorization using information from Apple’s servers and then installed highly invasive spyware on those Apple users’ devices, and by means of such conduct furthered the intended fraud and obtained something of value

and

Damage to Apple User Devices In Violation Of 18 U.S.C. § 1030(a)(5)
they knowingly caused the transmission of a program, information, code, and/or command, specifically the commands needed to carry out the exploits described above, as well as the Pegasus spyware itself, to Apple’s servers, and as a result of such conduct intentionally caused damage without authorization to the operating system on Apple’s users’ devices, including by installing their Pegasus spyware

But Apple is also pursuing violations of California law ("80. unlawful acts or practices in the conduct of business, in violation of California’s Business and Professions Code Section 17200") and breach of contract.

That last bit is clever. NSO Group members created Apple ID accounts, which means they agreed to the terms of service, including how disputes were handled. “The iCloud Terms constitute binding and enforceable contracts between Defendants and Apple.”

So in the article we discuss what Apple alleges NSO Group did; in the lawsuit, they break down precisely on what basis they want financial and injunctive relief from a court.

These aren’t criminal charges; it’s a lawsuit, which is a civil action among parties. There’s no opportunity for NSO Group to face fines or its officers prison terms; instead, Apple can only appeal for injunctions (NSO Group barred from all sorts of things) and for relief (money!).

That’s a PDF, but I’m still going to clarify that it’s a civil offense, not a criminal one. (“Federal offense” doesn’t explain that it doesn’t involve a criminal charge, as that could mean criminal or civil.)

I’ve read some of the hacking laws and the info just sent by MMTalker.

As I understood it, NSO developed tools - but didn’t do the hacking. Kind of like, developing a chain cutter - but not cutting the chain to the gate. I expect their position is that any actions on their part wrt Apple systems were lawful. Perhaps, Apple should be suing those who used the tools?

Are there lawful purposes the tools could be used for?

That’s why I was asking what specific law Apple was accusing them of breaking.

David

That’s a whole other discussion. NSO Group’s clients are governments and the actions are always without the knowledge and consent of the party being hacked. It is very rare that a tool such as that deployed against people has legal and legitimate uses except in very narrow cases as defined in certain countries.

In repressive countries, such tools can be used either because the country doesn’t have laws about government use, has laws that allow it, or violate laws on the books without repercussions.

More to your analogy, a chain cutter can’t only be used to cut other people’s chains. DRM circumvention tech, as an example, has a huge number of legitimate purposes, and is deployed typically by individuals; an individual cannot purchase NSO Group technology and, if so, they have no legitimate purpose as an individual to put it to.

Again, read the lawsuit for Apple’s precise description of what they allege NSO Group has done. NSO Group has put forth the notion they are simply a tool developer, but that’s not what’s emerged in reporting, U.S. Commerce Department orders, and court cases: they are reportedly actively involved in various ways in supporting the operation of the tool.

I like what Apple is doing here and it appears they’re being smart about it too. 🙂

I just have to wonder if they’d be even more successful at this if they increased their bounties for exploits and offered more encouragement among the community to actively search for and report any flaws. Sure, it’s not great press when a zero-day gets found in your flagship OS, but it would be far worse press if you didn’t find it and it ends up getting used in the murder of a dissident. Plus, with a generous bounty program you get to very publicly advertise your virtuous intents.

There’s a good one-page summary here, and it includes details of penalties as well as links to the laws of all 50 US states:

The Computer Fraud and Abuse Act (CFAA) is the leading federal anti-hacking legislation that prohibits unauthorized access to another’s computer system. Although the law was originally meant to protect the computer systems of U.S. government entities and financial institutions, the scope of the Act expanded with amendments to include practically any computer in the country (including devices such as servers, desktops, laptops, cellphones, and tablets).

And here’s details of a US Supreme Court judgement, though it is not Apple specific:

Except NSO isn’t a US company, they’re not operating on US soil, they have not sold their products to the US government and (from what I’ve read elsewhere), they have taken deliberate steps to prevent their software from being used to target US citizens.

So it’s highly doubtful that US law enforcement has standing to do anything in a criminal court. The fact that some of the people targeted are using equipment sold by a US company isn’t going to be enough of a basis.

It will be interesting to see if the court believes Apple has standing, since any damages are against Apple’s customers, not Apple itself. Unless they have evidence that NSO hacked Apple’s servers, not just users’ phones.

A US government blacklist is not exactly a lawsuit, but it’s close and could move in that direction:

“NSO Group and Candiru (Israel) were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.”

“The ban would prohibit American firms from selling technology to NSO Group and its subsidiaries. Dell and Microsoft were alerted earlier that NSO Group would be added to the blacklist, according to two people briefed on the calls but unauthorized to speak publicly about them.”

And Facebook/Meta has hauled NSO into the US justice system:

This is NOT a criminal prosecution (which a private company can’t initiate.) It’s a civil lawsuit for damages from conduct that Apple alleges is contrary to the agreements that NSO signed and contrary to commercial law. Apple clearly lays down the kinds of damages it believes they’ve suffered. (It is worth reading Apple’s filing, posted again as a reminder to do so: https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_112321.pdf )

What I really don’t understand is what Apple expects to get if/when they win. NSO is unlikely to pay any attention to a legal prohibition against hacking or against false accounts on iCloud, etc. I’m guessing they think they can go after some money associated with US sponsors (but there are substantial limits on that liability.) I’m presuming Apple has more in mind than just winning a judgement and bringing attention to the problem…

add: Israel is feeling the heat! Israel restricts cyberweapons export list by two-thirds, from 102 to 37 countries - The Record by Recorded Future

Now it seems like NSO Group spyware was used against the US State Department.

Should the government develop its phones (or modified iOS for its phones) that government employees use for government business?
David

No, absolutely not. Dangerous, and probably impossible for “the government” to do right.

They sort of do that already, at least in certain use cases. I remember the big ballyhoo over Obama’s Blackberry and how they had to lock it down so pretty much nothing worked.